Code Locket Menu

Adobe Invoice Malware Scam

Blog post created on 2014-10-20

EmailMalware

Alas, configuring a multi user multi domain email server is one of the most difficult system administration tasks I have done to date. The set up though, is just the beginning of the problems.

SPAM and SCAMs become your old friends and it is sometimes interesting to investigate these little natural occurrences. Just today I received an email entitled Adobe Invoice and it read:

Dear Customer, 
Thank you for signing up for Adobe Creative Cloud Service. 

Attached is your copy of the invoice.
Thank you for your purchase.

Thank you,
The Adobe Team
Adobe Creative Cloud Service

The email also had a nice little attachment called adb-102288-invoice.zip. Admittedly I can see how these sort of attacks can infect many computers, especially those owned by Adobe clients, but any seasoned user would simply hit delete and be done with it.

If you are unsure however, with very little effort, you can verify the legitimacy (or not) of the email at hand. The golden rule is simple: never click on a link within an email, always log-in to the relevant account manually and verify any outstanding matters directly on the website.

On the other hand if we were a malware researcher we would start a proper forensic investigation. Let's give it a go for a few minutes.

First thing let's open the raw email. You can do this with any email software, have a look in your options. Once found here are the headers (I have redacted my domains):

Return-Path:  <billing@adobe.com>
X-Original-To: michael.tremante@#REDACTED#.com
Delivered-To: michael.tremante@#REDACTED#.com
Received: from localhost (localhost [127.0.0.1])
  by mail.#REDACTED#.net (Postfix) with ESMTP id C260EA0002
  for  <michael.tremante@#REDACTED#.com>; Mon, 20 Oct 2014 15:26:34 +0100 (BST)
X-Virus-Scanned: amavisd-new at #REDACTED#.net
X-Amavis-Alert: BAD HEADER SECTION, MIME error: error: couldn't parse head;
  error near:;
  UEsDBBQAAAAIACqTVEVXb/vpSEABAADGAQAGAAAAYzMuZXhl7Ft3WBPBEs8ltFCECKIRVCKI;
  RIpGsD1QKYZqICjYsYMUEUViQ9R4YogRK4gNxd5QUEFRQQIoVSEEJSRBQEQJBulyIEjebvJ6;
  /d7/bz+529vbnZ39zezM7FxkrDqFI+BwODXwp1DgcDngDovzn+7/qRwCf6Mmv[...]
Received: from mail.#REDACTED#.net ([127.0.0.1])
  by localhost (mail.#REDACTED#.net [127.0.0.1]) (amavisd-new, port 10024)
  with LMTP id bp282vzFF3wN for  <michael.tremante@#REDACTED#.com>;
  Mon, 20 Oct 2014 15:26:29 +0100 (BST)
Received: from 55.52.153.190.net-uno.net (unknown [190.153.52.55])
  by mail.#REDACTED#.net (Postfix) with ESMTP id 1BF4CA0001
  for  <michaeltremante@#REDACTED#.com>; Mon, 20 Oct 2014 15:26:27 +0100 (BST)
Message-ID:  <D8300D9A.BA35A276@adobe.com>
Date: Mon, 20 Oct 2014 09:56:11 -0430
From: "Adobe Billing"  <billing@adobe.com>
MIME-Version: 1.0
To: michaeltremante@#REDACTED#.com
Subject: Adobe Invoice

First thing to note is the sending email server: 55.52.153.190.net-uno.net. If we visit the domain we immediately notice that the website has nothing to do with Adobe or any other internet connectivity provider which may be relaying emails. This is already an indication that the email has been sent by a compromised server. We can also check the IP address 190.153.52.55 in one or more of the most used blacklist providers, for example SpamHaus. By inserting the IP address in the form we notice that (at the time of writing), the IP is indeed blocked in the XBL blacklist. This is a real-time list of IP addresses of computers that have been infected by 3rd party exploits. Basically a hacker has control of this machine. Digging further and following the reports provided by SpamHaus we also find out that the server has been infected with a computer worm called Conficker.

We could keep on investigating but for now let's go back to our email as we were provided with a nice little ZIP file. For any sort of downloadable file (including executables) the first place to visit is Virus Total.

Virus Total has been recently acquired by Google and enables us to upload/submit any file or link. This will then be scanned by all well known anti virus software and all the results will be reported in an easily readable format. The service is currently provided for free. Be careful though, you would not want to fiddle with the attachment unless you were working within a virtual machine to avoid any risk of infecting your computer by mistake. Luckily I found a report for the same file that had been submitted by another user. At the time of writing this report was only 8 hours old and only 4 out of 54 anti virus software detected this file as being malicious... so be warned, anti virus software IS NOT a safe catch-all solution.

The Virus Total report is very detailed but at this point a real researcher would actually run and decompile the file on a test machine to investigate exactly what actions it performs and how dangerous it might be. Usually the software would connect to other servers to upload personal information or perform other malicious actions. I will leave this topic for a future post.

I wanted to finish pointing out that the hackers in this instance likely DID NOT send out the malware to any random email address but rather used a targeted list. As I mentioned I am in possession of an Adobe account and back in October 2013 Adobe servers were hacked and more than 38 million accounts were compromised. My old email address was part of this list and since the email I received was sent to this old email address I am nearly sure the hackers used the list of compromised accounts to target their attack. This can make us only wonder how many Adobe customers are likely going to fall victim of this malware scam.